Directed-Graph Decryption

Updated 9 December 2025

Directed-graph decryption is a cryptographic methodology that applies trellis decoders to noise-enhanced high-memory convolutional codes for secure and efficient ciphertext recovery.
It leverages deliberate polynomial ambiguity and masking techniques to create exponential barriers against algebraic and information-set decoding attacks.
The approach offers post-quantum security with scalable hardware/software implementations, achieving constant per-bit processing and high throughput.

Directed-graph decryption is a cryptographic methodology that utilizes directed-graph-based algorithms, specifically trellis decoders, to efficiently and securely decrypt ciphertexts encoded with noise-enhanced high-memory convolutional codes. This approach is structurally distinct from traditional code-based cryptosystems, presenting both algebraic and complexity-theoretic challenges to adversaries, particularly in the context of post-quantum cryptography. Directed-graph decryption leverages polynomial ambiguity, introduced via encoded masking and deliberate polynomial-division noise, to create substantial barriers for algebraic and information-set decoding (ISD) attacks, while still allowing authorized recipients polynomial-time decryption with constant per-bit computational cost (Ariel, 2 Dec 2025).

1. Algebraic Construction: High-Memory Convolutional Codes

Directed-graph decryption schemes operate by encoding a message polynomial $m(x) \in \mathbb{F}_2[x]$ (degree $< K$ ) using a convolutional code generator matrix with enhanced memory. This generator comprises a base matrix $G_p(x) = [p_0(x)\, \ldots\, p_{n-1}(x)]$ of memory $p$ and a set of high-memory polynomials $G_Q(x) = [q_0(x)\, \ldots\, q_{n-1}(x)]$ with degrees up to $q$ , combined element-wise to yield

$G_{pQ}(x) = [p_0(x)q_0(x),\, \ldots,\, p_{n-1}(x)q_{n-1}(x)].$

A masking matrix $\tilde{G}$ of rank $\ell \ll K$ is added for polynomial ambiguity. The dense public generator $G(x)$ is constructed by scrambling and permuting $G_{pQ} + \tilde{G}$ via invertible matrices $S$ and $R$ . The public encoder is given by

$c(x) = m(x)G(x) + e(x),$

where $e(x)$ is a random error polynomial of specified Hamming weight. The private key contains $(S, R, G_p(x), G_Q(x), \tilde{G})$ and a CRC-polynomial $r(x)$ for failure detection (Ariel, 2 Dec 2025).

2. Trellis Modeling and Polynomial Ambiguity

The decryption process models the convolutional code using a trellis $T = (V, E)$ :

Nodes: $V = \{S_t^s : t = 0, \ldots, T; s \in \mathbb{F}_2^\mu \}$ , with $\mu = p+q$ for $G_{pQ}$ but $\mu = p$ for the honest decoder.
Edges: Each state $s$ at time $t$ branches to $s'$ for both $u \in \{0,1\}$ , labeled by $[u \cdot p_0(x), \ldots, u \cdot p_{n-1}(x)]$ .

The presence of $\tilde{G}$ (mask) and the indeterminate polynomial-division remainders generates up to $2^\ell$ valid “demasked” polynomial candidates for each ciphertext. The trellis is extended with $\ell$ “ambiguity edges” at the start, accommodating all possible linear combinations from the rowspace of $\tilde{G}$ . After ambiguity is resolved, decoding proceeds as a standard convolutional trellis over $p$ memory stages (Ariel, 2 Dec 2025).

3. Directed-Graph Decryption Algorithm and Complexity

Decryption is realized through the following stages:

Invert permutation: Apply $R^T$ to the ciphertext.
Mask ambiguity: For each candidate in the $2^\ell$ -sized linear span of $\tilde{G}$ , generate a demasked vector.
Polynomial division: For each demasked candidate, divide component streams by their corresponding $q_j(x)$ , discard remainders, and reinterleave.
Parallel trellis decoding: Launch $2^\ell$ parallel Viterbi decoders, each working on a $\mu = p$ memory trellis of length $L = N/n$ .
Verification: Use a CRC check to identify the valid plaintext, back-transform by $S^{-1}$ if successful.

The honest decryption complexity is $O(2^\ell L 2^p)$ , which is $O(N)$ since $\ell, p$ are small constants (e.g., $\ell \leq 5, p \approx 14$ ), and the cost per bit is constant. Adversarial decryption, lacking $\tilde{G}$ and the scramble/permutation matrices, requires an exponential search ( $2^K$ for K-dimensional codes) or algebraic attacks of equivalent cost. These operations are exponential in $K$ (Ariel, 2 Dec 2025).

4. Cryptanalytic Security and Comparison with Classic McEliece

Directed-graph decryption with noise-enhanced memory convolutional codes (labeled "MCC" for Masked Convolutional Codes, Editor’s term) achieves a substantial security improvement over Classic McEliece. For code parameters $N \approx 5600$ , $K \approx 2600$ , effective error weight $t \approx 392$ , the ISD complexity is

$C_{ISD}(MCC) \simeq 2^{0.29 \cdot (5600-392)} \simeq 2^{374}$

compared to $2^{138}$ for a $(4096, 3556, 45)$ Goppa code in Classic McEliece. This yields a margin exceeding $2^{236} > 2^{200}$ operations. Under Grover quantum speedup, margins remain greater than $2^{118}$ . Thus, the system offers security exceeding $2^{200}$ against both classical and quantum ISD attacks (Ariel, 2 Dec 2025).

Scheme	Key Parameters	Best ISD Complexity	Security Margin (vs Classic)
Classic McEliece	$N=4096, K=3556, t=45$	$2^{138}$	Baseline
MCC (this scheme)	$N=5600, K=2600, t=392$	$2^{374}$	$>2^{200}$

5. Scalability, Per-Bit Cost, and Parallelism

The per-bit computational cost for honest decryption is

$\text{Cost}_{\text{per bit}} \simeq 2^\ell \cdot 2^p \cdot O(1) = O(1)$

as $\ell$ and $p$ are constant parameters, invariant with message length $N$ . This enables decryption complexity to scale linearly in the ciphertext size, with modern hardware (FPGAs, GPUs, SIMD CPUs) able to accommodate the necessary $2^\ell \cdot 2^p$ ACS modules (e.g., $2^{19} \approx 5 \times 10^5$ for $\ell=5, p=14$ ), supporting gigabit-per-second throughput on sizable messages. Arbitrary plaintext lengths are supported without cost increase per bit (Ariel, 2 Dec 2025).

6. Hardware and Software Implementation

Directed-graph decryption benefits from inherent parallelism. Typical hardware architectures integrate:

A matrix-multiply/unmask block, polynomial-division engine, and $\ell$ -bit demultiplexer to feed a bank of $2^\ell$ parallel Viterbi cores.
FPGA implementations use pipelined ACS arrays across $p+1$ stages, sharing on-chip RAM.
ASIC/SoC realizations involve dedicated polynomial dividers and Viterbi cores connected via broadcast switches.
On software platforms, each mask candidate is mapped to a thread or vector lane, using bit-packed ACS updates and vector reductions for minimum Hamming weight computation.

Example performance measures for representative parameters ( $\ell = 5, p = 14, N \approx 10^4$ ) are:

FPGA (XC7A200T): $\sim$ 0.8 Gbit/s decryption at 200 MHz clock
ARM Neon (SW): $\sim$ 200 Mbit/s per core (128-bit SIMD)

This high parallelism and constant per-bit cost allow the scheme to provide both strong post-quantum security and practical throughput in contemporary hardware and software environments (Ariel, 2 Dec 2025).

Markdown Upgrade to Chat

References (1)

Decryption thorough polynomial ambiguity: noise-enhanced high-memory convolutional codes for post-quantum cryptography (2025)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Directed-Graph Decryption.